How to add both IP and email access control in Zero Trust

What is the name of the domain?

m.example.com

What is the issue you’re encountering?

I can’t get the email access login code

What steps have you taken to resolve the issue?

I searched and tried “include” and “require” rules.
It looks like adding another policy is not good; it’s “OR” logic, not “AND” logic.

What are the steps to reproduce the issue?

Hi guys,
I want to add both IP and email access control for one of my subdomains.
The steps are:
I add an application first, then add a policy. In the policy I selected “allow”, added a first include rule of IP ranges, and added some IPs.
Then I add “require email” and add some emails. The problem is that when I visit the subdomain, it shows the email popup, but I don’t receive the auth code as with other applications. I double-checked the email address.
Also, the IP setting works: if I use an unlisted IP, it shows the forbidden page until I change to a listed IP. Can you help and let me know what I should do? Thank you!

I agree. The access pages are very confusing. The basic policy should be to allow. Then add an include rule where the selector is authentication method and choose one-time password. Then add a second require rule where the selector is IP range, and choose the range of addresses. My understanding is it will then show the OTP dialog and the IP address must be in range. If you do both rules as include, it can be one or the other.

Having said that, I also am not getting emails through, so something is not working as intended.

Paul
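
The include/require behaviour discussed in this thread, as an added example that is not part of the original posts and is not Cloudflare's code: a simplified Python model in which Include rules are ORed and Require rules are ANDed. The selector names, IP ranges and email addresses are constructed for illustration.

```python
import ipaddress

# Simplified model (an assumption, not Cloudflare's implementation):
# Include = OR, Require = AND, Exclude = NOT. Each (selector, value) pair is
# one rule; selector names and all values below are constructed.

def rule_matches(rule, who):
    kind, value = rule
    if kind == "ip":
        return ipaddress.ip_address(who["ip"]) in ipaddress.ip_network(value)
    if kind == "email":
        return who["email"].lower() == value.lower()
    if kind == "auth_method":
        return who["auth_method"] == value
    raise ValueError(f"unknown selector: {kind}")

def policy_allows(policy, who):
    """Allow only if no Exclude matches, some Include matches, all Require match."""
    if any(rule_matches(r, who) for r in policy.get("exclude", [])):
        return False
    if not any(rule_matches(r, who) for r in policy.get("include", [])):
        return False
    return all(rule_matches(r, who) for r in policy.get("require", []))

OFFICE = ("ip", "203.0.113.0/24")
ALICE = ("email", "alice@example.com")
BOB = ("email", "bob@example.com")
OTP = ("auth_method", "otp")

# Both rules as Include: either the IP or the email is enough (OR).
BOTH_INCLUDE = {"include": [OFFICE, ALICE]}
# Include the login method, Require the IP range: OTP login AND listed IP.
OTP_AND_IP = {"include": [OTP], "require": [OFFICE]}
# Two different emails under Require: ANDed, so no single user can match.
TWO_EMAILS_REQUIRED = {"include": [OFFICE], "require": [ALICE, BOB]}

def visitor(ip, email="alice@example.com"):
    return {"ip": ip, "email": email, "auth_method": "otp"}

if __name__ == "__main__":
    for name, pol in [("both include", BOTH_INCLUDE), ("otp+ip", OTP_AND_IP),
                      ("two emails required", TWO_EMAILS_REQUIRED)]:
        for ip in ("203.0.113.10", "198.51.100.7"):
            print(f"{name:20} {ip:14} -> {policy_allows(pol, visitor(ip))}")
```

Under this model, a Require group that lists several different emails as separate values can never be satisfied, because one identity carries only one email address.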